win.liteduke (Back to overview)

LiteDuke

Actor(s): APT29


According to Carbon Black, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES-encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic.
ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18 | One Night in Norfolk | Kevin Perlow
@online{perlow:20200518:looking:eaa7bde, author = {Kevin Perlow}, title = {{Looking Back at LiteDuke}}, date = {2020-05-18}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/looking-back-at-liteduke/}, language = {English}, urldate = {2020-05-18} } Looking Back at LiteDuke
LiteDuke
2020-03-26 | VMWare Carbon Black | Scott Knight
@online{knight:20200326:dukes:df85f94, author = {Scott Knight}, title = {{The Dukes of Moscow}}, date = {2020-03-26}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/}, language = {English}, urldate = {2020-05-18} } The Dukes of Moscow
Cobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke
Yara Rules
[TLP:WHITE] win_liteduke_auto (20230125 | Detects win.liteduke.)
rule win_liteduke_auto {

    // Autogenerated code-pattern rule for LiteDuke (win.liteduke).
    // Each $sequence_N below is a run of 7 consecutive x86 instructions
    // (n = 7) taken from disassembly of memory dumps / unpacked files, so the
    // rule targets the unpacked payload code rather than a packed on-disk
    // dropper. The "e8????????" tokens wildcard the 4-byte relative target of
    // a call so the pattern survives relocation between builds.
    // The "score" value in the per-sequence comments is emitted by the
    // generator; its scale is not documented here, so do not read it as a
    // confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b7508 8b5d0c 893424 e8???????? 83fb02 7439 8b5514 }
            // n = 7, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   893424               | mov                 dword ptr [esp], esi
            //   e8????????           |                     
            //   83fb02               | cmp                 ebx, 2
            //   7439                 | je                  0x3b
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]

        $sequence_1 = { c74424043d000000 891c24 e8???????? 8b45d8 891c24 89442404 e8???????? }
            // n = 7, score = 200
            //   c74424043d000000     | mov                 dword ptr [esp + 4], 0x3d
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   e8????????           |                     

        $sequence_2 = { c3 8b06 8b4dd4 894c2408 c744240400000000 890424 e8???????? }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   c744240400000000     | mov                 dword ptr [esp + 4], 0
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_3 = { 8b55c4 894594 894da4 8b4234 85c0 0f8444010000 40 }
            // n = 7, score = 200
            //   8b55c4               | mov                 edx, dword ptr [ebp - 0x3c]
            //   894594               | mov                 dword ptr [ebp - 0x6c], eax
            //   894da4               | mov                 dword ptr [ebp - 0x5c], ecx
            //   8b4234               | mov                 eax, dword ptr [edx + 0x34]
            //   85c0                 | test                eax, eax
            //   0f8444010000         | je                  0x14a
            //   40                   | inc                 eax

        $sequence_4 = { 8b8558ffffff 6bd60c 89442408 8b8560ffffff 898dc4feffff 8b401c 8985ccfeffff }
            // n = 7, score = 200
            //   8b8558ffffff         | mov                 eax, dword ptr [ebp - 0xa8]
            //   6bd60c               | imul                edx, esi, 0xc
            //   89442408             | mov                 dword ptr [esp + 8], eax
            //   8b8560ffffff         | mov                 eax, dword ptr [ebp - 0xa0]
            //   898dc4feffff         | mov                 dword ptr [ebp - 0x13c], ecx
            //   8b401c               | mov                 eax, dword ptr [eax + 0x1c]
            //   8985ccfeffff         | mov                 dword ptr [ebp - 0x134], eax

        $sequence_5 = { c1e110 09ce 8b8d60ffffff 09d9 89d3 898d60ffffff 89c1 }
            // n = 7, score = 200
            //   c1e110               | shl                 ecx, 0x10
            //   09ce                 | or                  esi, ecx
            //   8b8d60ffffff         | mov                 ecx, dword ptr [ebp - 0xa0]
            //   09d9                 | or                  ecx, ebx
            //   89d3                 | mov                 ebx, edx
            //   898d60ffffff         | mov                 dword ptr [ebp - 0xa0], ecx
            //   89c1                 | mov                 ecx, eax

        $sequence_6 = { 8b55e4 891c24 89542404 8945dc e8???????? 8b5638 89542404 }
            // n = 7, score = 200
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   891c24               | mov                 dword ptr [esp], ebx
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   e8????????           |                     
            //   8b5638               | mov                 edx, dword ptr [esi + 0x38]
            //   89542404             | mov                 dword ptr [esp + 4], edx

        $sequence_7 = { 8b4de4 894318 85c9 0f842fffffff 6690 8b55b4 85d2 }
            // n = 7, score = 200
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   894318               | mov                 dword ptr [ebx + 0x18], eax
            //   85c9                 | test                ecx, ecx
            //   0f842fffffff         | je                  0xffffff35
            //   6690                 | nop                 
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   85d2                 | test                edx, edx

        $sequence_8 = { dae9 dfe0 80e445 80f440 c9 0f95c2 31c0 }
            // n = 7, score = 200
            //   dae9                 | fucompp             
            //   dfe0                 | fnstsw              ax
            //   80e445               | and                 ah, 0x45
            //   80f440               | xor                 ah, 0x40
            //   c9                   | leave               
            //   0f95c2               | setne               dl
            //   31c0                 | xor                 eax, eax

        $sequence_9 = { 8b5d14 8b441004 85c0 7428 8d55f4 89542404 8b4004 }
            // n = 7, score = 200
            //   8b5d14               | mov                 ebx, dword ptr [ebp + 0x14]
            //   8b441004             | mov                 eax, dword ptr [eax + edx + 4]
            //   85c0                 | test                eax, eax
            //   7428                 | je                  0x2a
            //   8d55f4               | lea                 edx, [ebp - 0xc]
            //   89542404             | mov                 dword ptr [esp + 4], edx
            //   8b4004               | mov                 eax, dword ptr [eax + 4]

    condition:
        // Fires when at least 7 of the 10 code sequences above are present,
        // which tolerates a few sequences changing between builds while
        // keeping a single accidental hit from matching.
        // The filesize bound (1171456 bytes, ~1.1 MiB) restricts scanning to
        // objects no larger than the documented samples; note that a large
        // process memory dump scanned as a single file will exceed it and
        // never match, so scan unpacked/extracted modules individually.
        7 of them and filesize < 1171456
}